Here are three challenges we’ve focused on solving with smart technology:

Manually collecting, normalizing, and correlating eventsSorting through alerts and gathering intelligence one threat at a timeSpeeding up incident investigations and time to contain/respond

With the help of InsightIDR, our MITRE ATT&CK-focused SIEM, these issues are addressed with automation and behavioral analytics. Let’s walk through a typical investigation to highlight how InsightIDR makes our incident response lifecycle both precise and scalable.

Using InsightIDR as a Rapid7 SOC analyst

Since all of our security log data is centralized and retained in the cloud-based Insight platform, our team can avoid expensive and ever-scaling hardware and database deployments. And, because we don’t need to worry about “running” InsightIDR—configuring hardware, or log collection—our energy is focused on interpreting what InsightIDR outputs in alerts and dashboards, and using that information to improve our security posture.

Start responding to threats like a Rapid7 SOC analyst with a free 30-day trial of InsightIDR.

The first step in our investigation process is to understand what happened. Many modern SIEMs today offer user behavior analytics (UBA), which identifies anomalous user behavior across your environment. This can include suspicious websites visited, malicious document downloads, or actions that indicate an adversary may be impersonating a company employee. While this is critical to finding unknown attacks, malicious use of credentials, and lateral movement, UBA typically identifies threats further down in the kill chain.

Therefore, the SOC teams created a wide range of detections to specifically find attacker behaviors, which have been added as attacker behavior analytics (ABA) to InsightIDR. Attacker behaviors include signature- and process-based attacks, specific attacker tools, PowerShell patterns, Meterpreter sessions, and more. These are all indicators of malicious intent and help us quickly narrow in on real threats, sifting out the false positives.

This combination of user and attacker behavior analytics, along with traditional threat intelligence and deception technology, gives us monitoring opportunities at each stage of an attack.

And, since the Insight agent can be deployed on endpoints and servers across our entire network, InsightIDR obtains 24/7 coverage of users no matter where they are. InsightIDR also pulls in data from Active Directory, DHCP, LDAP, and DNS, and gathers events from our firewalls, IDS, IPS, and so on. It then correlates this information back to specific assets and users both on and off the network. All of this information comes to us as condensed alerts filled with actionable context.

Step 2: Gathering threat intelligence

The next step is gathering more information about an event to effectively determine what we’re dealing with and the best course of action. Our SOC team works closely with our managed detection and response (MDR), threat intelligence, and incident response services teams to continuously identify new threats and the behaviors associated with them. We feed that intel directly into InsightIDR so that our SOCs, and those of our customers, can gain access to that intel from within their investigations.

During investigations, we can pivot through log data with the built-in search to see what happened in the surrounding timeframe. Since log search, endpoint forensic jobs, and user context are all available within InsightIDR, we save time by avoiding jumping between multiple tools.

Step 3: Correlating events

Combined with threat intelligence, UBA and ABA offer rich information that helps our SOC team better detect and respond to threats. But if there is no way to correlate all of these details, it can be a long and grueling process. This is another feature built right into InsightIDR.

We can skip creating pivot tables and timelines in Excel with the user attribution and data enrichment automatically performed by the UBA in InsightIDR. Every employee at Rapid7 has a prebuilt user page that details notable user behaviors, asset information, remote authentications, and even known vulnerabilities from InsightVM scan data.

Step 4: Responding to threats with speed

Armed with information on user activity, network, and the endpoint, the final steps are to contain and respond to the threat. We launched additional automation capabilities to the Insight platform on Oct. 1. Now, InsightIDR alerts can be fed into designated automation workflows directly from an investigation, making routine tasks like phishing investigations, malware containment, and even disabling user accounts simple to move forward automatically. This saves our SOC team from spending hours each day on important but ultimately repetitive and tedious tasks.

As a result, we have more time to spend on threat hunting, responding to threats, and continuously improving our own processes.

End-to-end investigation workflow

To color what the above steps look like in a complete workflow, we created a three-minute video that walks through a detection to response scenario in InsightIDR:

Whenever InsightIDR generates an alert, it creates an open investigation that includes important user and asset context. The information is sorted into a clear timeline so you can see how the issue started, what assets were affected, and the evidence (e.g., DNS queries, firewall traffic, etc.)

With built-in automation in InsightIDR, we can kick off various workflows to take immediate actions, getting us closer to completing the investigation and moving on to the next one. This process allows us to truly magnify our impact, and get to the bottom of threats faster.

Conducting incident detection and response at scale

Having visibility across our entire network, no matter where an asset or user is, has been key for us. Without any rules to write, and leveraging threat intelligence from Rapid7’s team of security experts, our team can operate at great scale. Our customers have access to the exact same solutions and intelligence out-of-the-box with InsightIDR. In fact, our customers benefit from everything we as a company do to improve our own processes and outcomes.

Rapid7 (NASDAQ:RPD) powers the practice of SecOps by delivering shared visibility, analytics, and automation that unites security, IT, and DevOps teams. The Rapid7 Insight platform empowers these teams to jointly manage and reduce risk, detect and contain attackers, and analyze and optimize operations. Rapid7 technology, services, and research drive vulnerability management, application security, incident detection and response, and log management for more than 7,000 organizations across more than 120 countries, including 52% of the Fortune 100.

Promoted Content

30-Day Trial: UBA-Powered SIEM with Rapid7's InsightIDR

Rapid7 InsightIDR delivers trust and confidence: you can trust that any suspicious behavior is being detected, and have confidence that with the full context, you can quickly remediate.
From working hand-in-hand with security teams, we understand how painful it is to triage, false-positive, vague alerts and jump between siloed tools, each monitoring a bit of the network.
InsightIDR combines SIEM, UBA, and EDR capabilities to unify your existing network & security stack. By correlating the millions of events your organization generates daily to the exact users and assets behind them, you can reliably detect attacks and expose risky behavior - all in real-time.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.